Local Municipal Website Hacked

As the Clarke County government finalizes preparations to relaunch their website, another local municipality is struggling to defend it’s web site from hackers. Last week the City of Winchester’s website was compromised and it may be part of a security breach that the hacking communities says has been open for years.

Evidence of the attack appeared as a spam link in keyword searches for “Winchester” that linked back to a page under the winchesterva.gov domain. The page was a typical spam page that generated multiple links attempting to sell cheap software. The link was crawled by Google and link back to the Winchester site was titled, “Adobe cs3 master collection price, buy adobe cs3 master collection, buy cs3 master collection.”

The city was notified of the existence of the page and removed it from the URL.

It seems however, that this may be a band-aid response to a much larger problem. Over the past weekend several more hacker generated pages appeared on the Winchester site. An example of the Google results is shown below:

According to the hacking community the City of Winchester site has been an open door for years. A brief internet search produced several hackers claiming credit for earlier hacks who also offered advice to fellow hackers on how to duplicate the feat.The hack centers on a technique called a “SQL Injection.” This allows hackers to enter illicit code into unprotected sites. Once the malicious code is in the database it will auto-generate pages in the site with nefarious content.

A hacker named raahul2008 took credit for an earlier hack stating in online forums: (we have redacted the code)

mmmm guys i did SQLi in this .gov site before 2 days and forgot to post â€¦.
here is the pic:
here is the code:
here are some usernames : password hashes
if you like this you can +REP me
thanks to all my HF friendsâ€¦â€¦â€¦

Other claimed hacks to the site go back as far as 06/08/2009. City of Winchester officials were contacted regarding the security breach. City Manager, Jim O’Connor responded to our inquiries over the weekend and said via email that,”We are aware of problems and our corrective measures are on going. At this point we have not found an absolute solution.”